A definitive guide to meeting FCA record-keeping obligations under SYSC 9, COBS, ICOBS, and DISP — with practical retention schedules and storage recommendations.
FCA record-keeping requirements are scattered across multiple sourcebooks — SYSC 9, COBS, ICOBS, DISP, and SUP — each with different retention periods, formats, and access requirements. For insurance firms handling high volumes of policies, claims, and customer interactions, this creates a complex web of obligations that is difficult to manage without a structured approach.
The consequences of inadequate record-keeping are felt most acutely during regulatory investigations, complaints disputes, and FOS referrals. If you cannot produce the records the FCA or Ombudsman requests — or if those records are incomplete, disorganised, or inaccessible — your firm is immediately on the back foot. The FCA has the power to draw adverse inferences from missing records.
Many firms also underestimate the interaction between FCA retention requirements and UK GDPR data protection obligations. Retaining records for too long creates data protection risk; disposing of them too early creates regulatory risk. Getting the balance right requires a clear, documented retention schedule that accounts for both regimes.
An effective record-keeping framework starts with a comprehensive retention schedule that maps every record type to its FCA sourcebook requirement, specifies the minimum and maximum retention period, defines the required format, and identifies the responsible team. This schedule becomes the single source of truth for what to keep, how long to keep it, and when to dispose of it.
The framework must be supported by systems that enforce the retention schedule automatically — flagging records approaching their disposal date, preventing premature deletion, and providing instant access when records are requested by regulators, the Ombudsman, or internal audit. Manual record management at scale is simply not viable.
Importantly, the framework should also address the quality of records, not just their existence. Under SYSC 9.1.1R, records must be sufficient to enable the FCA to monitor compliance. This means records must be complete, accurate, contemporaneous, and organised in a way that allows efficient retrieval.
Follow these steps to create a record-keeping framework that meets FCA requirements, supports regulatory enquiries, and balances retention obligations with data protection duties.
Identify every type of record your firm creates or receives in the course of regulated activities. This includes policy documentation, demands and needs statements, suitability reports (if applicable), claims files, complaints records, financial promotions, call recordings, electronic communications, training records, compliance monitoring reports, and board minutes. Map where each record type is currently stored and in what format.
Cross-reference each record type against the applicable FCA sourcebook. Key requirements include: SYSC 9.1.1R (general obligation to maintain orderly records for at least 5 years), COBS 9.5 (suitability records for 5 years), ICOBS 4 (insurance distribution records), DISP 1.9 (complaints records for 3 years from the date of complaint), and SUP 15A (transaction reporting records for 5 years). Some records — such as pension transfer files — must be retained indefinitely.
For each record type, also define a maximum retention period based on UK GDPR principles. Personal data must not be kept longer than necessary for the purpose for which it was collected. Where the FCA requires a minimum retention period, you can justify retaining data for that period — but you need a clear rationale for any retention beyond the regulatory minimum.
Create a formal retention schedule document that lists each record type, the applicable FCA rule, the minimum retention period, the maximum retention period, the storage location, the format requirements, and the responsible team. This schedule should be approved by senior management and reviewed at least annually.
Implement technology controls that enforce your retention schedule. This includes automatic classification of records at the point of creation, retention period tagging, automated alerts when records approach their disposal date, and workflow-based disposal approval. Ensure records cannot be deleted before their minimum retention period expires without senior approval.
Records must be accessible and retrievable within a reasonable timeframe when requested by the FCA, the FOS, or internal audit. Define service level standards for retrieval — for example, electronic records within 24 hours, archived physical records within 5 business days. Test your retrieval capability periodically to ensure it works in practice.
Define a formal disposal procedure that includes verification that the retention period has expired, confirmation that no litigation hold or regulatory investigation prevents disposal, approval by an appropriate person, secure destruction (for physical records) or permanent deletion (for electronic records), and logging of the disposal for audit purposes.
Ensure all relevant staff understand the record-keeping requirements that apply to their role. Include record-keeping in your compliance monitoring programme, with periodic checks on record completeness, accuracy, and adherence to the retention schedule.
Records are most valuable — and most credible — when created at or near the time of the event they document. Encourage staff to complete file notes, demands and needs records, and decision logs immediately rather than retrospectively. The FCA places significant weight on contemporaneous records.
Implement standard naming conventions and classification taxonomies across all record types. This dramatically improves retrieval speed and reduces the risk of records being misfiled, overlooked, or duplicated.
Where the FCA requires you to retain a record of a transaction or interaction, retain the complete record — including call recordings, email threads, and system screenshots — not just a summary or file note. Summaries can be challenged; complete records cannot.
Ensure your systems record who created, accessed, modified, and disposed of each record. This audit trail should be tamper-proof and time-stamped. It is essential evidence of good governance and can be critical in defending against regulatory allegations.
When upgrading or replacing systems, ensure that historical records are migrated or remain accessible in the legacy system for the full retention period. System changes are a common cause of record loss, particularly for older records approaching the end of their retention period.
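The disposal checks and the time-stamped audit trail described above can be enforced in code rather than by convention. The sketch below is an added example, not SwiftCase code: the record fields, type labels and function names are hypothetical, the minimum periods are the ones quoted on this page, and hash chaining is one assumed way to make changes to the trail detectable.

```python
import hashlib, json
from datetime import date

# Minimum periods in years as stated on this page; the keys are hypothetical labels.
MIN_YEARS = {"complaint": 3, "general": 5}

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb start date landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def disposal_decision(record, today, approver=None, senior_approval=False):
    """Apply the disposal checks in order and return (allowed, reason)."""
    earliest = add_years(record["start"], MIN_YEARS[record["type"]])
    if record.get("hold"):
        return False, "litigation hold or regulatory investigation"
    if today < earliest and not senior_approval:
        return False, "minimum retention runs to " + earliest.isoformat()
    if approver is None:
        return False, "no approver recorded"
    return True, "approved for disposal"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log in which each entry's hash covers the previous hash."""
    def __init__(self):
        self.entries = []

    def append(self, actor, action, record_id, when):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "action": action, "record": record_id,
                "when": when, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; an edited, reordered or mid-chain deleted entry fails."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True

# Constructed sample record: a complaint received on 1 March 2021.
SAMPLE = {"id": "CMP-0001", "type": "complaint", "start": date(2021, 3, 1)}
```

A chain like this does not reveal entries trimmed from the end, so the latest hash should also be copied periodically to a store the application cannot rewrite.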
Covering SYSC 9, COBS, ICOBS, DISP, and SUP with minimum and maximum periods.
Records retrievable within defined timeframes for regulatory requests.